Trusting Intel…

“ME has access to everything that is important. It has unconstrained access to DRAM, to the actual CPU, to GPU, it can also talk to your networking card, especially your Ethernet card, the controller for which is also in the Southbridge in the processor. It also has its own dedicated partition on the SPI Flash which can be used to store whatever ME wants to store there. This is really problematic, and we don’t know what it runs.”

See Trustworthy x86 laptops? There is a way, says system-level security ace

Software, firmware, hardware, they are all powerful and essential… but can you trust them? In the wrong hands all of them can be tools of those who are out to get you one way or another. With governments and corporations abounding that want to snoop or copy or sabotage there are plenty of bad apples in the barrel. We can do something about this with FLOSS, that’s one of many reasons to love FLOSS. Firmware is another matter if we just accept binary blobs without understanding. Then there’s the hardware.

What if your CPU, the all-knowing, singing, dancing CPU that can do thousands of things at once with access to your hardware, software, data and networks is compromised by the maker? Do you feel lucky? Well, do you, punk? (Dirty Harry). Intel has been the big maker of PC and server CPUs. They want to add their own binary blob right into their CPUs. It’s their leverage, their way of “adding value”, but is it good for your security to have a back door deliberately installed in the heart of your hardware? Do you ultimately trust Intel, the corporation that used to pay OEMs not to install a competitor’s CPUs? They do lack a certain morality, far below the bare minimum we require of any supplier. AMD may be no better even though they were Intel’s victim. They are struggling. Would they be willing to do the same given a sweet deal by some government or criminal organization? We just don’t know.

ARM may be a bit better because of their openness but they don’t produce chips directly. They provide building blocks. Any malware can be built into units containing the ARMed hardware we all love.

Thin clients can help by keeping important data away from the CPUs but that still leaves in doubt the hardware of the servers and even the networking chips. At any stage malware can be given a free ride on stuff you own. Is it hopeless? Not quite. We still have the possibility of having open hardware right down to the masks used in the fabrication of chips. That has to happen before all this IT can be fully trusted. Given the present climate, I expect to see cloud-funded masks for FABs within a few years. We’ll have to render binary blobs in firmware also transparent. It will happen. We have the power. Just stop buying that other stuff until the required transparency is available.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

12 Responses to Trusting Intel…

Security by obscurity uses as why closed source could be more secure has got security by fear around the wrong way. If software developers have nothing to make them fear being detected the code quality will not be in the code base.

There is a saying security by fear is something true. 90 percent plus of security is bluff.

So security stickers advertising a security system, fake security cameras and so on work 90 percent of the time just as effectively as having real ones.

Same with software security. If the person providing you stuff knows the fact you can in fact properly audit what they are providing 90 percent of the time they will not attempt anything underhanded. If you perform the audit or not that is a completely different matter.

The belief that the item could be audited is the biggest deterrent to underhanded actions. Not that an audit is performed. Performing the audit against a party that believes the item could be properly audited you are looking at catching less than 10 percent of the problem.

kurkosdr a fully trusted system from a security point of view depends on the means to Audit. Having code running in a blackbox that you cannot see what is being executed fails the means to audit. Now you can have the means to fully audit system without having the means to change code in a secured section.

Sorry kurkosdr with an arm processor you can pay the money to see the reference design from arm have your own staff inspect it. After make of chip use inspection tech to make sure the chip is in fact made to spec. Then run your own software on it as a government. Problem here is how to make phones/computer tech simple to validate as safe to normal users.

Trust some one is the first thing you learn about security. Proper hardened security is not based on trust but the means to audit actions.

Otherwise you’ll end up ripping off the bezel of your TV for hidden cameras and ripping apart your car’s upholstery for hidden microphones, with a tinfoil hat and “I want to believe” posters in your walls.
If you do most of that you are an idiot. Some TVs come with cameras built in always watching who is sitting in front of them.

Electronic based microphones in fact give off an RF signal unless properly shielded. Properly shielded also means putting in enough metal findable with an ultrasonic search. Again non destructive.

Passive microphone devices are far harder to find. They work on either fiber optic line picking up sound or some metal object that when hit with a radio signal becomes active and sound causes the object to alter the radio signal reflected back. Yes this could be as simple as a food cover brought into room. Of course in car upholstery there is no need to rip it apart to check if it is to spec.

Tinfoil hat could in fact allow you to get sleep if where you are has an electromagnetic ELF or VLF problem. Yes putting on a Tinfoil hat and attempting to sleep is a test for environmental problems. If you cannot move out it can be quite a suitable solution to allow your mind to operate properly. Ok looks stupid but it’s better to look stupid than be sleep deprived and be a hazard to yourself and everyone else.

Sleep labs have very thick walls of sound proofing for many reasons. Yes tinfoil hat does not allow you to sleep next stop sleep lab to find out if you have a problem and if you don’t have a problem you are then looking at a sound based ELF/VLF what is a lot harder to deal with.

Yes the joke made over tinfoil hats completely ignores the medical usages of them. Yes even in a sleep lab due to the cameras and everything else in the room there might be electromagnetic noise in the room disturbing your sleep if suspected they give you a conductive ski-mask that does basically the same job as tin foil hat. Advantage they have conductive and non conductive masks so blind testing on your part.

Lack of sleep for a long time could explain how some people end up massively nutty.

Yes the –“I want to believe” posters in your walls– on walls and the destructiveness caused by an idiot who does not know better could be the direct result of ELF/VLF exposure causing lack of sleep so crippled thinking. Only thing with any merit to do out of the list was the tin foil hat.

Shielded rooms and so on all depend on person not bringing something as simple as a phone with battery in. Of course person leaving their phone in a locker could be another risk as tracking software could be added to phone to aid in kidnapping.

Most of the documents on making a hardened setup are open to the public because a lot of it needs third party review to make sure nothing has been overlooked.

It’s like the fact you can get past Ultrasonic and PIR motion detectors with something as simple as a bed sheet of the right materials so hardened security setups are not to depend on these alone.

If someone has had physical access to your hardware you can forget about security. Those who have worked in “secure computing environments” are well familiar with the measures taken: air-gaps, shielded rooms, hardware in transparent cases so security cleared operators could spot any changes, security seals, guards, alarm systems, special reduced instruction set “Unix like” operating systems, ancient hardware bridges to the outside world, …

The list goes on. Unfortunately, most of it is classified. But back to the first statement.
Never forget it!

What if that steak you just ate was from a super intelligent space cow that would have taught mankind to live in peace and harmony before it was mistaken for a normal cow and slaughtered for that steak?

Can you live with yourself? Does it matter?

Of course not. Buy whatever the hell you want, just don’t do mental gymnastics to justify it.

Dear Pog, how do you trust that your ethernet card’s chip, or the cellular modem of your beloved android phone, are not sending duplicates of your packets (or at least the most interesting ones) to a third party IP, covertly without your OS knowing it? Same question for your router.

Do you trust the chip just because it’s a chip and not firmware? Do you trust that current Northbridges and CPU are not doing what you describe in your post?

At some point, you have to trust someone. Otherwise you’ll end up ripping off the bezel of your TV for hidden cameras and ripping apart your car’s upholstery for hidden microphones, with a tinfoil hat and “I want to believe” posters in your walls.

Also, chill out. The NSA (boooo!) got info from cloud Microsoft, Google etc accounts because there is a clause in the TOS that allows MS and Google to do that.

You get no such TOS when buying hardware. And you won’t because unlike the cloud, it’s the corp that has your data but you, hence they don’t have responsibility for them.
